Power Apps – Content Security Policy enforcement for Power Apps code apps

Originally posted by Microsoft Jan 18, 2026 Uncategorized 0 Comments

Starting on January 26, 2026, we will introduce strict Content Security Policy (CSP) enforcement for Power Apps code apps (preview). CSP is a security feature that protects apps from malicious content by restricting which external sources an app can access.

How does this affect me?

After January 30, 2026, Power Apps code apps that call assets outside of Power Apps domains will have those requests blocked by default. The code app will play, but these assets called from an external source will not load.

Please visit How to: Configure Content Security Policy (preview) – Power Apps for more information about the default CSP configuration.

What action do I need to take?

To enable your code app to call assets from external sources, you will need to allowlist any required external sources using the CSP configuration settings in the Power Platform admin center.

To prepare for this change, we recommend you configure CSP by using Power Platform admin center and follow the steps below. We recommend taking these steps if you are unsure about what your CSP configuration should be, and your code app is business critical:

  1. Temporarily toggle off the Enforce content security policy setting.
  2. Toggle on the Enable reporting setting.
  3. Test which sources need to be added to your allowlist after the enforcement date of January 30, 2026.
  4. Add the required sources to your allowlist.
  5. Toggle on the Enforce content security policy setting.

enable reporting

Please contact Microsoft Support if you need further assistance.

Message ID: MC1218747

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: